Cors header not added auth/validator returns 403 #961

Open
lerminou opened this issue Jan 15, 2025 · 0 comments

lerminou commented Jan 15, 2025

Environment info:

  • KrakenD version: 2.6.1
  • System info: docker
  • Backend technology: Python

Describe the bug
The full KrakenD is working fine, great job.
Except when the auth/validator returns a 403 Forbidden because the Keycloak JWT doesn't have the right role.
In this case, the jose validator aborts directly without adding the CORS headers.
So the browser refuses to render the response to the JS.

The preflight request is OK before that request.

Your configuration file:

```
{
  "$schema": "https://www.krakend.io/schema/v2.6/krakend.json",
  "version": 3,
  "output_encoding": "no-op",
  "extra_config": {
    {{ template "cors.tmpl" . }},
    "router": {
      "@comment": "The health endpoint checks do not show in the logs",
      "auto_options": true,
      "logger_skip_paths": [
        "/__health"
      ]
    },
    "telemetry/logging": {
      "level": "{{ .env.logLevel }}",
      "prefix": "[KRAKEND]",
      "syslog": false,
      "stdout": true
    }
  },
  "endpoints": {{ template "endpoints.tmpl" . }}
}
```

cors.tmpl:

```
"security/cors": {
  "allow_origins": [ "http*" ],
  "allow_methods": [
    "GET",
    "HEAD",
    "OPTIONS"
  ],
  "expose_headers": [
    "Content-Length",
    "Accept",
    "Access-Control-Allow-Origin"
  ],
  "allow_headers": [
    "Accept-Language",
    "Content-Type",
    "Authorization",
    "Access-Control-Allow-Origin"
  ],
  "allow_credentials": true,
  "debug": true
}
```

endpoints.tmpl:

```
[
  {
    "endpoint": "/trace/{plant_id}",
    "extra_config": {
      {{ template "auth.tmpl" . }}
    },
    "method": "GET",
    {{ template "headers.tmpl" . }},
    "backend": [
      {
        "host": [ "http://api.{{ .env.namespace }}.svc.cluster.local" ],
        "url_pattern": "/trace/{plant_id}"
      }
    ]
  }
]
```

auth.tmpl:

```
"auth/validator": {
  "alg": "RS256",
  "roles_key_is_nested": true,
  "roles_key": "realm_access.roles",
  "roles": ["api"],
  "jwk_url": "{{ .env.authRealmUrl }}/protocol/openid-connect/certs",
  "propagate_claims": [
    ["sub", "x-auth-userid"],
    ["email", "x-auth-email"]
  ],
  "cache": true,
  "error_headers": true,
  "error_log_level": "DEBUG",
  "operation_debug": true
}
```

Commands used
How did you start the software?
Kubernetes deployment with the krakend config file as a configmap

Expected behavior
The response has the CORS headers for the React application.

Logs

```
[KRAKEND] 2025/01/15 - 14:05:22.375 ▶ DEBUG [CORS] 2025/01/15 14:05:22   Preflight response headers: map[Access-Control-Allow-Credentials:[true] Access-Control-Allow-Headers:[Authorization, Content-Type, Okwindclient] Access-Control-Allow-Methods:[GET] Access-Control-Allow-Origin:[http://localhost:3000] Vary:[Origin, Access-Control-Request-Method, Access-Control-Request-Headers]]

[KRAKEND] 2025/01/15 - 14:05:22.402 ▶ DEBUG [CORS] 2025/01/15 14:05:22 Handler: Actual request

[KRAKEND] 2025/01/15 - 14:05:22.402 ▶ DEBUG [CORS] 2025/01/15 14:05:22   Actual response added headers: map[Access-Control-Allow-Credentials:[true] Access-Control-Allow-Origin:[http://localhost:3000] Access-Control-Expose-Headers:[Content-Length, Accept, Access-Control-Allow-Origin] Vary:[Origin]]

[KRAKEND] 2025/01/15 - 14:05:22.402 ▶ ERROR [ENDPOINT: /trace/:plant_id][JWTValidator] Token sent by client does not have sufficient roles
[GIN] 2025/01/15 - 14:05:22 | 403 |     580.154µs |  185.135.124.29 | GET      "/trace/907"
```

Additional context
Add any other context about the problem here.
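A minimal net/http model of the ordering problem this issue describes, added here as an illustration; it is not KrakenD's code and does not reproduce its middleware stack. It assumes a constructed comma-separated role list in place of the Keycloak JWT and a hypothetical `withCORS` wrapper, and shows why CORS headers must be attached before any middleware that writes a 403, together with a `Probe` helper a practitioner can adapt to check a gateway's error responses.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

const allowedOrigin = "http://localhost:3000" // the Origin seen in the issue logs

// requireRole stands in for auth/validator. The bearer token is a constructed
// comma-separated role list, not a real JWT; a missing role aborts with 403.
func requireRole(role string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		roles := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		for _, have := range strings.Split(roles, ",") {
			if have == role {
				next.ServeHTTP(w, r)
				return
			}
		}
		http.Error(w, "token does not have sufficient roles", http.StatusForbidden)
	})
}

// withCORS attaches Access-Control-Allow-Origin for an allowed Origin. corsFirst=false
// does so only after the inner chain returns: the 403 is already written by then and
// net/http drops header changes made after WriteHeader, which reproduces the symptom.
// corsFirst=true attaches it before delegating, so every status, 403 included, has it.
func withCORS(next http.Handler, corsFirst bool) http.Handler {
	set := func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Origin") == allowedOrigin {
			w.Header().Set("Access-Control-Allow-Origin", allowedOrigin)
		}
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if corsFirst {
			set(w, r)
		}
		next.ServeHTTP(w, r)
		if !corsFirst {
			set(w, r)
		}
	})
}

// Probe sends a cross-origin GET /trace/907 carrying the given role list and
// returns the status and the Access-Control-Allow-Origin value the client sees.
func Probe(h http.Handler, roles string) (int, string) {
	req := httptest.NewRequest("GET", "/trace/907", nil)
	req.Header.Set("Origin", allowedOrigin)
	req.Header.Set("Authorization", "Bearer "+roles)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Result().Header.Get("Access-Control-Allow-Origin")
}
```

Against a live gateway the same check is a GET with a valid Origin and a token lacking the role: a 403 without Access-Control-Allow-Origin is exactly what the browser will refuse to hand to the script.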
